wil6210: Sanity check for reported DMA length
If Rx descriptor contains garbage, it is possible to access memory beyond
allocated buffer.
Check this condition and drop Rx if reported length is
unreasonable large
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
index 6a20f0a..92f1821 100644
--- a/drivers/net/wireless/ath/wil6210/txrx.c
+++ b/drivers/net/wireless/ath/wil6210/txrx.c
@@ -349,7 +349,13 @@
d1 = wil_skb_rxdesc(skb);
*d1 = *d;
+ wil_vring_advance_head(vring, 1);
dmalen = le16_to_cpu(d1->dma.length);
+ if (dmalen > sz) {
+ wil_err(wil, "Rx size too large: %d bytes!\n", dmalen);
+ kfree(skb);
+ return NULL;
+ }
skb_trim(skb, dmalen);
wil->stats.last_mcs_rx = wil_rxdesc_mcs(d1);
@@ -362,8 +368,6 @@
wil_hex_dump_txrx("Rx ", DUMP_PREFIX_NONE, 32, 4,
(const void *)d, sizeof(*d), false);
- wil_vring_advance_head(vring, 1);
-
/* no extra checks if in sniffer mode */
if (ndev->type != ARPHRD_ETHER)
return skb;